Xen has had a history of security issues, but they're good about providing bug-fix only patches. As long as the server team will be doing security support of this, I'm fine with these 2 binary packages being in main. I would prefer the rest stay in universe.

To be clear, the security team would track and publish issues. We would usually patch them as well. What would be needed here is occasionally patch support when the security team needs help and members of the server team are more familiar with the code, and testing support where the security team does not have the infrastructure.